Can FreeRADIUS proxy accounting requests to multiple systems?

Alan DeKok aland at deployingradius.com
Thu Jun 12 21:16:01 CEST 2008


Sylvain Robitaille wrote:
> I'm looking to have both of these systems proxy incoming accounting
> data to each other, so that they both have complete, up-to-date data
> regarding which users are presently authenticated on which services,

  That should be easy.  See the "detail" file readers in
raddb/sites-available/copy-acct-to-home-server.

> but
> I'd also like to have them proxy the accounting data to a third system
> (commercial "appliance" type of system, though I understand that it does
> use FreeRADIUS as its RADIUS server) which might act as our wireless
> network management system (we're presently evaluating it).

  It's one of 3 products, all of which are (so far as I know) years out
of date in their version of FreeRADIUS.

> I've been trying to understand the comments in
> raddb/sites-available/copy-acct-to-home-server, raddb/proxy.conf, and
> the relevant parts of raddb/radiusd.conf, but I'm not sure I have yet
> understood whether what I want can be done: proxy accounting-request
> packets from both "production" RADIUS servers to each other AND to the
> wireless network management system (though I expect that the NMS would
> get from each RADIUS server only accounting-request packets that weren't
> already proxied from the partner RADIUS server, to avoid it receiving
> duplicate data).

  That can be done.  You just have to set it up carefully.  If all else
fails, add attributes to the accounting packet saying where it was
proxied to, and then don't re-proxy it there...

> I've started setting up proxy.conf as indicated below my signature, and I
> expect I'll need a sites-enabled/copy-acct-to-home-server, but I'm pretty
> sure that the proxy.conf as I now have it would not proxy the requests
> to both the partner RADIUS server and the wireless network management
> system at the same time (not "failover" nor "load-balance", but proxy
> to both simultaneously).  I'm hoping that someone can offer guidance.

  You will need two versions of "copy-acct-to-home-server", one for each
destination.  Set up one first and get it working.  Then set up another
one and get it working.  Then, ensure that requests sent to one server
don't end up getting proxied through 2 other servers back to itself.

  Alan DeKok.
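The loop-avoidance rule from the reply above (mark a packet when it is proxied, and never re-proxy a marked packet), modeled as an added example; this is not code from the original post or from FreeRADIUS. The server names, the `Proxied-By` attribute name and the session id are hypothetical, constructed for illustration.

```python
from collections import Counter, deque

# Constructed topology: two production RADIUS servers that copy accounting
# data to each other and to the network management system (NMS).
COPY_TO = {
    "radius1": ["radius2", "nms"],
    "radius2": ["radius1", "nms"],
    "nms": [],
}
MARKER = "Proxied-By"  # hypothetical attribute name (assumption)


def deliver(first_hop, packet, use_marker=True, max_hops=20):
    """Send one accounting packet from a NAS to first_hop.

    Returns a Counter of how many copies each server received.
    max_hops only bounds the simulation when the marker is disabled.
    """
    received = Counter()
    queue = deque([(first_hop, dict(packet), 0)])
    while queue:
        server, pkt, hops = queue.popleft()
        received[server] += 1          # the server always records the data
        if hops >= max_hops:
            continue                   # simulation cap reached, stop here
        if use_marker and MARKER in pkt:
            continue                   # already proxied once: do not re-proxy
        for dest in COPY_TO[server]:
            copy = dict(pkt)
            if use_marker:
                copy[MARKER] = server  # record which server proxied it
            queue.append((dest, copy, hops + 1))
    return received


if __name__ == "__main__":
    pkt = {"Acct-Status-Type": "Start", "Acct-Session-Id": "constructed-0001"}
    print("with marker:   ", dict(deliver("radius1", pkt)))
    print("without marker:", dict(deliver("radius1", pkt, use_marker=False, max_hops=6)))
```

With the marker, every system sees each record exactly once whichever production server the NAS talks to; without it, the two production servers keep bouncing the packet and the NMS receives a duplicate on every hop.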


